Ban empty usernames and passwords in uv auth (#15743)

Otherwise, you can get yourself in a weird state?
2025-10-27 18:36:44 +00:00 · 2025-09-09 06:23:33 -05:00 · 2025-09-09 06:23:33 -05:00 · 9d3a3843c3
commit 9d3a3843c3
parent 484004871c
4 changed files with 73 additions and 0 deletions
--- a/crates/uv/src/commands/auth/login.rs
+++ b/crates/uv/src/commands/auth/login.rs
@ -108,6 +108,9 @@ pub(crate) async fn login(
            bail!("No username provided; did you mean to provide `--username` or `--token`?");
        }
    };
+    if username.is_empty() {
+        bail!("Username cannot be empty");
+    }

    let password = match (password, url_password, token) {
        (Some(_), Some(_), _) => {
@ -138,6 +141,10 @@ pub(crate) async fn login(
        }
    };

+    if password.is_empty() {
+        bail!("Password cannot be empty");
+    }
+
    let display_url = if username == "__token__" {
        url.without_credentials().to_string()
    } else {
--- a/crates/uv/src/commands/auth/logout.rs
+++ b/crates/uv/src/commands/auth/logout.rs
@ -50,6 +50,9 @@ pub(crate) async fn logout(
        (None, Some(url)) => url.to_string(),
        (None, None) => "__token__".to_string(),
    };
+    if username.is_empty() {
+        bail!("Username cannot be empty");
+    }

    let display_url = if username == "__token__" {
        url.without_credentials().to_string()
--- a/crates/uv/src/commands/auth/token.rs
+++ b/crates/uv/src/commands/auth/token.rs
@ -56,6 +56,9 @@ pub(crate) async fn token(
        (None, Some(url)) => url.to_string(),
        (None, None) => "__token__".to_string(),
    };
+    if username.is_empty() {
+        bail!("Username cannot be empty");
+    }

    let display_url = if username == "__token__" {
        url.without_credentials().to_string()
--- a/crates/uv/tests/it/auth.rs
+++ b/crates/uv/tests/it/auth.rs
@ -774,6 +774,38 @@ fn login_text_store() {
    Stored credentials for https://example.com/
    "
    );
+
+    // Empty username should fail
+    uv_snapshot!(context.auth_login()
+        .arg("https://example.com/simple")
+        .arg("--username")
+        .arg("")
+        .arg("--password")
+        .arg("testpass"), @r"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Username cannot be empty
+    "
+    );
+
+    // Empty password should fail
+    uv_snapshot!(context.auth_login()
+        .arg("https://example.com/simple")
+        .arg("--username")
+        .arg("testuser")
+        .arg("--password")
+        .arg(""), @r"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Password cannot be empty
+    "
+    );
 }

 #[test]
@ -907,6 +939,20 @@ fn token_text_store() {
    ----- stderr -----
    "
    );
+
+    // Empty username should fail
+    uv_snapshot!(context.auth_token()
+        .arg("https://example.com/simple")
+        .arg("--username")
+        .arg(""), @r"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Username cannot be empty
+    "
+    );
 }

 #[test]
@ -957,6 +1003,20 @@ fn logout_text_store() {
    Removed credentials for https://example.com/
    "
    );
+
+    // Empty username should fail
+    uv_snapshot!(context.auth_logout()
+        .arg("https://example.com/simple")
+        .arg("--username")
+        .arg(""), @r"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Username cannot be empty
+    "
+    );
 }

 #[test]